75th Plenary meeting

During its February plenary, the EDPB adopted a procedure for the adoption of EDPB Opinions on national criteria for certification and European Data Protection Seals. This document is addressed to all applicants of certification criteria and aims to streamline and facilitate the adoption of EDPB Opinions on certification criteria by clarifying the approval process of national and EU-wide certification criteria, as well as criteria for certification meant as tools for international transfers.

More precisely, this document introduces all the steps that the Data Protection Authorities (DPAs) need to take from the moment they receive the criteria from the scheme owners to the moment they communicate to the EDPB Chair whether they intend to follow the EDPB Opinion.

This document will supersede Internal Document 04/2019 on the procedure for the adoption of the EDPB Opinions on the DPA’s draft accreditation requirements for certification bodies and the DPA’s draft decisions on criteria of certification (the parts related to the procedure for the adoption of opinions on accreditation requirements will remain valid). It will also supersede the EDPB document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification, the European Data Protection Seal.

The EDPB has adopted its new work programme, setting out its priorities and putting the Board’s strategic objectives into practice.

The EDPB will continue to prioritise enforcement building on initiatives such as the Coordinated Enforcement Framework, cases of strategic importance, and the Support Pool of Experts. In addition, the EDPB will keep developing guidance to support and encourage Data Protection Authorities (DPAs) to use of the full range of cooperation tools at their disposal, such as on the mutual assistance duty.

Furthermore, the EDPB will add to its existing catalogue of close to 200 data protection documents and continue its core work on harmonising and facilitating compliance. Among others, the EDPB will continue to ensure consistency of decisions by national DPAs via binding decisions under Art. 65 GDPR and to advise the EU legislator on data protection related matters, such as on adequacy decisions.

In addition, the EDPB will provide further guidance and develop awareness-raising tools on the GDPR for a wider audience. Furthermore, the EDPB intends to develop new guidance, such as on the interplay between the AI Act and the GDPR and on the use of social media by public bodies.

Following public consultation, the EDPB has adopted three sets of guidelines in their final version:

• Guidelines on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR: The Guidelines clarify the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V. They aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. Following public consultation, the guidelines were updated and further clarifications were added. Most notably, a clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of direct collection, as well as the meaning of “the data importer is in a third country”. Moreover, an annex was added with further illustrations of the examples included in the guidelines to facilitate understanding.
   
• Guidelines on certification as a tool for transfers: The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool. The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification. Following public consultation, the Guidelines were updated to reflect comments received.
   
• Guidelines on deceptive design patterns in social media platform interfaces: The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe on GDPR requirements. The guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR. Following public consultation, the final version integrates updated wording and further clarifications in order to address comments and feedback received. In particular, the title of the Guidelines has been modified and the term “dark pattern” has been replaced by the term “deceptive design patterns”. In addition, some clarifications were added, for example on how to integrate the present Guidelines in the design thinking process and a second Annex  was added, providing a quick overview of all the best practices.